Views:

Create, import, and manage filters to detect events in your environment.

Important
Important
You can have up to 50 custom filters.
Custom Filters (XDR Threat InvestigationDetection Model ManagementCustom Filters) allows you to import and create custom filters that Trend Vision One can use to detect events in your environment and enable custom models to trigger Workbench alerts.
The following table outlines the actions available on the Custom Filters tab.
Action
Description
Add a custom filter
Click Add to create a custom filter.
Import custom filters
Click Import Filters (import_icon=94824c33-cb60-46ee-a9fd-27abd38ff0ed.png) to import YAML files containing custom filters.
Imported YAML files must follow the Trend Micro Sigma specification. Each YAML file must contain one filter only.
Export select custom filters
Select one or more filters, then click Export Selected Filters to export your filters into a .zip file containing a YAML file for each selected custom filter.
When the export completes, click dddna_summary_detection_copy=GUID-4DE35BE5-57A5-4919-BF9C-5EC95F9CA8FD=1=en-us=Low.png in the Export Custom Filters window to copy the password needed to open the .zip file.
Export all custom filters
Click export_button=GUID-C683DEEE-C19C-484D-A5B1-4CA9D1794756=1=en-us=Low.jpg to export all your filters into a .zip file containing a YAML file for each custom filter.
When the export completes, click dddna_summary_detection_copy=GUID-4DE35BE5-57A5-4919-BF9C-5EC95F9CA8FD=1=en-us=Low.png in the Export Custom Filters window to copy the password needed to open the .zip file.
Filter custom filter data
Use Search and filters to locate specific custom filters.
  • Severity: The user-defined severity of the filter
  • Event type: The event type of the filter
  • Last updated: The period of time when the detection model was last updated
  • Search: Provides partial matching for event ID, name, vendor, or query
See the details of a filter
Click a filter name to view detailed information about the custom filter.
Important
Important
An information icon (disabled=6e5bd66a-4b63-4096-867e-128dce2c0ebf.jpg) next to the filter name indicates the filter is disabled due to excessive execution time, which may negatively affect associated models.
Edit the query in the filter event settings to enable the filter.
Edit a custom filter
Click edit_icon=GUID-1F1D1164-5310-4D6D-ACD0-6049C86960AF.png to edit a custom filter.
WARNING
WARNING
Changing a custom filter affects how any model that uses the filter triggers custom Workbench alerts.
Delete a custom filter
Click trash_icon=GUID-47cf6867-6315-438e-8670-86ff36f22a28.png to delete a custom filter.
You can only delete custom filters that are not included in any model.
Related information